Skip to content

Immutable audit trail

Fontana maintains a security audit trail for every workspace: a single, normalized stream of who did what, when, and with what outcome. Events are written to an append-only, tamper-evident ledger (WORM: write once, read many) so later edits or deletes cannot silently rewrite history. That ledger is the system of record for security and compliance review; HyperDX mirrors the same events for day-to-day operator search.

This trail is separate from workflow data lineage (pointer-based provenance from output cells back through transforms). Lineage explains how a number was derived; the immutable audit trail explains privileged and security-relevant activity across the platform. See Compliance evidence for lineage and Security for platform controls.

All security audit paths converge on observability-api inside the workspace cluster. Application code (Flow, workflow engine, Airbyte sidecar) never calls ImmuDB directly. Components either:

  • emit events that observability-api ingests automatically (Zitadel, Kubernetes API audit), or
  • record events in Convex with structured console logs (auditable: true for admin writes), which the webhook forwards to observability-api for ImmuDB append when eligible.
Flow · Convex · workflow engine · Zitadel · cluster APIs
→ observability-api (normalize, redact, dedupe)
→ append-only ImmuDB ledger (tamper-evident)
→ mirror to HyperDX for search and dashboards
SignalImmutable ledger?
Browser errors and product telemetryNo (HyperDX only)
Audit logs → Chat (LLM debug)No (Convex product feature; RBAC-gated)
Admin and security-relevant UI actionsYes, via Convex structured logs (auditable: true) on the log stream → observability-api

Flow has no direct WORM writer. Privileged UI changes are recorded in Convex as structured JSON on the console log stream topic; observability-api maps them to HyperDX and ImmuDB when auditable: true.

SignalImmutable ledger?
General log stream eventsHyperDX mirror only
Structured admin logs (auditable: true)Yes → ImmuDB + HyperDX
Log stream topic audit_log (deployment)Yes → ImmuDB
Tables such as workflow document edit historyNo (mutable application data)

Convex is the primary application path for security audit: RBAC changes, team membership, BYOK configuration, admin deployment settings, and similar mutations emit FontanaObservabilityLog v1 JSON via console.log after successful writes. Flow passes a correlationId per admin action so related logs share one chain id in HyperDX and ImmuDB.

SignalImmutable ledger?
Lifecycle and capacity logsNo (HyperDX via pod logs)
Port audit items on run outputsNo (data-quality semantics on the file store)
Privileged runs and sensitive connector accessTarget: engine → Convex audit_log

The engine does not POST to observability-api for WORM. Operational logs support SRE; security-relevant engine actions should route through Convex.

Fully automated. observability-api polls the Zitadel Events API on a fixed interval using a service credential from Vault. Identity events (sign-in, MFA, federation, role assignment, deprovision, and related types) normalize into the shared schema and append to ImmuDB. No Flow or Convex code is required for this path.

SignalImmutable ledger?
Connector /read, /check, job protocol logsNo (HyperDX via shared pod logs)
External data access classified as security-relevantTarget: workflow engine → Convex audit_log

There is no dedicated Airbyte → ImmuDB pipeline. The sidecar runs beside the workflow engine on localhost only.

Shipped. The cluster audit log is tailed by an OpenTelemetry collector pipeline. Events export to HyperDX and to observability-api audit-ingest, which appends to ImmuDB. Examples: authentication failures, secrets access, destructive verbs in the workspace namespace.

Bundled HyperDX alert rules watch these events (authentication failures, secret access, destructive verbs, ClusterRoleBinding changes). Every alert transition posts a webhook back to observability-api, which appends an alert.fired or alert.resolved record to ImmuDB, so the ledger also evidences that detection operated.

Security audit events share: workspace id, timestamp, actor, action, resource, outcome, correlation id, source, and dedupe id. Sensitive material is redacted before storage. If ImmuDB append fails, webhook and audit-ingest paths return errors (fail closed) rather than dropping events quietly.

CategoryExamplesSource (v1)
Identity and accessSign-in, MFA, role and provisioning changesZitadel Events API (automated)
Platform and clusterFailed auth, secret access, privileged API callsKubernetes API audit
Security alertingAlert fired / resolved on Kubernetes audit eventsHyperDX alert webhook → observability-api
Application and adminRBAC, BYOK, admin configurationConvex log stream structured admin logs (auditable: true) + deployment audit_log
Workflow and AI (security-tagged)Privileged runs, sensitive tool or connector accessTarget: Convex audit_log via engine or backend

Together, these sources give risk and compliance teams a cross-cutting view: identity, cluster, and application activity in one tamper-evident stream.

Each append to the ledger is cryptographically chained with prior state. Fontana runs a daily integrity scan CronJob per workspace:

StageComponentOutput
Scanimmuclient scanCryptographic consistency proof against the full ledger
ArchiveEvidence volume (worm-audit-evidence PVC)Timestamped scan log + JSON manifest (SHA-256, tenant, outcome)
Off-box (optional)S3 Object LockSame files when wormAudit.s3.bucket is configured
OperationsHyperDX OTLPSuccess or failure log (ServiceName:fontana-worm-integrity-scan)

Operators can:

  • Search HyperDX (Fontana — WORM audit dashboard or ServiceName:fontana-worm-integrity-scan) for scan history and optional alert rules
  • Read manifests on the evidence volume for audit packs (see operator runbook)
  • Use HyperDX (ServiceName:fontana-worm-audit) for interactive search of mirrored security events
  • Use in-cluster REST or immuclient for direct ledger verification when HyperDX is not enough

Read-only auditor access can be provisioned separately from the writer credential so reviewers do not share the same secret as the automated append pipeline.

Each workspace is a separate Kubernetes cluster with its own ImmuDB instance, Vault secrets, and PVC-backed storage. Audit data does not share a database or secret store with other workspaces on the same host. Network policy restricts which in-cluster services may write or reach the ledger.

TopicImmutable audit trailWorkflow lineage
Question it answersWho did what on the platform (security and operations)?How was this output value computed from inputs?
StorageAppend-only ImmuDB per workspacePer-run .lineage.json / .audit.json on workflow file store
Primary audienceSecurity, risk, compliance, platform opsOperations, auditors reviewing calculation provenance
UI todayOperator tools (HyperDX mirror, integrity scan Job); not embedded in Flow canvasData Lineage panel on the canvas

For credential and operator access to the ledger, your Fontana deployment team uses workspace-scoped Vault secrets and the WORM audit runbook (k8s/soc2/worm-audit-runbook.md). For diligence packs and control narratives, contact Fontana under NDA.